DORA

Digital Operational Resilience Act

Overview

The Digital Operational Resilience Act (DORA) establishes uniform requirements for the security and resilience of network and information systems supporting the business processes of financial entities. It also creates a framework for oversight of critical ICT third-party service providers.[1]

DORA is a regulation, meaning it applies directly across all EU Member States without transposition.

Entities in Scope

Financial Entities[2]

  • Credit institutions (banks)
  • Payment institutions
  • E-money institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • Central securities depositories
  • Trade repositories
  • Credit rating agencies
  • Crypto-asset service providers
  • Crowdfunding service providers
  • Data reporting service providers

Critical ICT Third-Party Providers

The European Supervisory Authorities designate critical ICT service providers based on:

  • Systemic impact if the provider fails
  • Degree of substitutability
  • Number of financial entities relying on the provider

Designated providers are subject to the EU oversight framework.

Five Pillars of DORA

1. ICT Risk Management (Chapter II)

Financial entities must establish and maintain:

  • Governance: Board responsibility for ICT risk strategy
  • Risk framework: Identification, protection, detection, response, recovery
  • Documentation: Policies, procedures, and protocols for ICT security
  • Testing: Regular evaluation of ICT systems and tools

2. ICT Incident Reporting (Chapter III)[3]

  • Classification: Harmonized criteria for incident severity
  • Initial notification: To competent authority within 4 hours of classification
  • Intermediate report: Within 72 hours with updates
  • Final report: Within 1 month of resolution
  • Voluntary reporting: Significant cyber threats may be reported

Major ICT-related incidents must be reported using standardized templates.

3. Digital Operational Resilience Testing (Chapter IV)

  • All entities: Annual ICT testing program
  • Significant entities: Threat-led penetration testing (TLPT) every 3 years
  • Critical ICT providers: May participate in pooled TLPT

Testing must cover: vulnerability assessments, network security assessments, software security reviews, source code reviews (where feasible), scenario-based testing, and compatibility testing.

4. Third-Party Risk Management (Chapter V)[4]

Financial entities must:

  • Maintain a register of all ICT third-party arrangements
  • Conduct due diligence before contracting
  • Assess concentration risks
  • Include mandatory contractual provisions
  • Define exit strategies
  • Report arrangements to competent authorities

Mandatory contract terms include service level descriptions, data protection obligations, access and audit rights, incident reporting requirements, and termination rights with transition support.

5. Information Sharing (Chapter VI)

Financial entities may exchange cyber threat information within trusted communities, subject to confidentiality rules, to enhance collective defense.

Proportionality

DORA applies its requirements proportionately, taking into account an entity's size and risk profile, the nature, scale, and complexity of its services, and its systemic importance.

Simplified requirements apply to small and non-interconnected investment firms, payment and e-money institutions below certain thresholds, and certain insurance intermediaries.

Penalties

Competent authorities may impose:[5]

  • Administrative fines
  • Periodic penalty payments
  • Public statements
  • Withdrawal of authorization
  • Temporary bans on management functions

Specific amounts are determined by Member State law.

Developer and ICT Provider Implications

If you provide ICT services to the financial sector:

  1. Contract review: Ensure contracts meet DORA requirements
  2. Incident reporting: Establish reporting channels to clients
  3. Testing support: Facilitate client penetration testing
  4. Exit planning: Enable orderly transition if contracts terminate
  5. Concentration awareness: Monitor dependencies on your services
  6. Critical designation: Prepare for potential EU oversight

Sources & References

[1] Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. EUR-Lex: DORA Official Text
[2] DORA Article 2: Scope. DORA Portal: Article 2
[3] DORA Articles 17-23: ICT-related incident reporting. DORA Portal: Incident Reporting
[4] DORA Articles 28-44: Third-party risk management. DORA Portal: Third-Party Risk
[5] DORA Article 50: Administrative penalties and remedial measures. DORA Portal: Penalties